440 Advanced Server Virtualization

The current power state of the virtual machine, whether it is powered on, off, or suspended.

The virtual machine ID (VMID) and the process ID (PID). This number is useful when trying to locate the virtual machine in the running processes of the host server (either in the Windows Task Manager or the Linux Process Status).

The number of virtual processors configured for the virtual machine.

The average, minimum, and maximum percentage of the GSX Server host processor that the virtual machine used in the previous minute.

The average, minimum, and maximum percentage of the GSX Server host memory that the virtual machine used in the previous minute.

The up time, or how long the virtual machine has been powered on and running.

The status of VMware Tools on the virtual machine, whether it is running or not available.

The average number of heartbeats received by a virtual machine.

The IP address of the virtual machine.

Links to modify the virtual machine's hardware and configuration file.

The guest operating system installed inside of the virtual machine. This information is gathered from the virtual machine's configuration file.

The amount of memory allocated to the virtual machine.

The path to the virtual machine's configuration file (.vmx).

The Hardware Tab

Clicking on the Hardware tab (see Figure 20.20) lists the virtual hardware for the selected virtual machine. The virtual hardware is broken out into two categories: Removable Devices and Other Hardware. Removable devices include such virtual hardware as the floppy drive, DVD/CD-ROM drive, and the network adapter. Other hardware may include such components as the virtual processor and memory, and the virtual disk.

Figure 20.20 Virtual Machine Overview—Hardware.

Marshall_AU3931_C020.indd 440 4/13/2006 1:44:17 PM

Configuring VMware GSX Server 441
This page allows the virtual hardware for the selected virtual machine to be configured by either adding new devices, removing existing devices, or editing existing devices. Figure 20.21 provides a list of additional devices that may be added to a virtual machine. When configuring the virtual hardware, different options or choices may be available based on the current power state of the virtual machine or the type of component being configured. For example, when configuring a removable device such as a floppy drive or a DVD/CD-ROM drive, if the virtual machine is powered off, then the device's connection status can be toggled on and off. Otherwise, the option is grayed out. Likewise, while a virtual machine is powered on, other options such as adding a new device, removing a device, or editing a device may become grayed out as well. When a virtual machine is powered off, the virtual device may also be modified to change the way it functions. For example, the virtual network adapter allows its network connection to be changed from Bridged to NAT or its virtual device to be modified from vlance to vmxnet. Additionally, a virtual disk may have its disk mode configuration changed from Persistent to Nonpersistent. Network adapter connection types and virtual disk modes are covered in detail in Chapter 22. It is safe to say, however, that most virtual hardware can only be configured while the virtual machine is powered off.

Figure 20.21 Add Hardware Device Types.

The Options Tab

The Options page (see Figure 20.22) allows for review and modification of basic information about the selected virtual machine. It also offers direct access to the selected virtual machine's configuration file. These configuration options include the following:
Display Name—descriptive name used to identify the virtual machine in the management interface or the console virtual machine listing. As a best practice, the display name should be an informative name that provides some level of detail about the virtual machine, such as its operating system, department, or functional role. The display name can be changed while the virtual machine is either powered on or off.

Guest Operating System—indicates the guest operating system selected during the creation of the virtual machine. While it should match the guest operating system that is installed on the virtual disk, it does not have to match for the virtual machine to power on and function. Therefore, do not assume that what is populated here is in fact the operating system that is installed.

Suspend File Location—specifies the location of the suspended state file. By default, the suspended state file is stored in the directory where the virtual machine's configuration file resides. Suspend files can become very large in size; therefore, it is recommended that the suspend file be stored on a physical disk with enough space to accommodate it.

Enable Logging—indicates whether logging for the virtual machine is enabled. Logging of a virtual machine may accumulate large amounts of data that in turn may take away precious disk space from a host server, which is one reason to disable logging. However, if a virtual machine crashes or VMware support is needed to troubleshoot a problem with the virtual machine, these log files may be required to diagnose the problem.

Run with Debugging Information—indicates whether the virtual machine is running with debugging information. By default, this option is disabled.
Enabling this setting will affect the performance of the virtual machine; however, if the virtual machine is exhibiting problems, enabling this feature may help troubleshoot the issue.

Figure 20.22 Virtual Machine Overview—Options.

Startup and Shutdown Options—indicates whether the virtual machine should start when the host server starts or shut down when the host server is shut down. The virtual machines can also be set to stagger starting up or shutting down so that multiple virtual machines do not all start or stop at the same time, which could cause a performance problem for the host server or the virtual machines on that host server.

Verbose Options—allows the virtual machine's configuration file to be modified directly. VMware recommends that only an experienced and advanced user modify the file directly. Modifying the configuration file with an incorrect setting can cause the virtual machine to no longer boot.

Users and Events Tab

The Users and Events page (see Figure 20.23) contains information that relates to the virtual machine, such as currently connected users, permissions of the current user, and events that have taken place in relation to the virtual machine.

Figure 20.23 Virtual Machine Overview—Users and Events.

Virtual Machine Console Connections—identifies a list of users that are connected to the virtual machine either with a console connection or by using a VMware Scripting API. The list provides the date and time stamp along with the IP address of the user connected to the virtual machine. This feature provides important information when trying to determine security issues related to access of a virtual machine.

Permissions—indicates what abilities the currently logged in user has on the virtual machine. The following options are either allowed or denied.
1. View virtual machine status
2. Modify virtual machine configuration
3. Control virtual machine (powering it on, off, or suspending it)

Events—displays a log of the 15 most recent actions or events recorded for the virtual machine. The log shows date and time stamps for the event along with an explanation. Information can include a power state change on the virtual machine (powered on, off, or suspended), errors produced, or GSX Server question and answer information. The event log retrieves its data from the log file for the virtual machine's configuration file. By default, this log file is stored in the virtual machine's directory. On a Windows host, the default directory is <installdrive>:\Virtual Machines\<guestOS>. On a Linux host, the default directory is /var/lib/vmware/Virtual Machines/<guestOS>. Many of these events are also tracked on a Windows host server in the Windows Event Viewer under the Application log, using VMware GSX Server as the source and Virtual machines as the category.

Security

In the past, the computer industry has focused its security efforts primarily on defending against external threats. Perimeters were created to help ward off these threats by introducing various tools such as antivirus software, firewalls, and intrusion detection and prevention systems. However, as the human factor (namely end users) grew within the industry, security problems were faced on two fronts: servers still needed protection from external threats more than ever, but now they also needed protection against threats from within. Add virtualization into the server mix and security concerns become that much more exacerbated. Why?
With the addition of the GSX Server environment into the physical environment, both the guest operating system and the host operating system must deal with security concerns and issues. In order to properly secure a host and guest operating system in a GSX Server environment, it is important to undergo proper planning when creating virtual machines. In other words, it is important to fully understand the role and function of all virtual machines that are created. For example, a virtual machine or group of virtual machines created to test an application may be configured in an isolated network environment. This configuration may not cause as much security alarm as a virtual machine that is created to act as the production network domain controller. Additionally, a virtual machine acting as a Web server may raise even more alarm since it is being directly accessed by unknown users from the Internet. This section will outline the various methods to help deal with the security concerns and issues brought about with the introduction of virtualization.

Securing the Host Server

This section describes a number of methods to properly secure the GSX Server host. Keep in mind that the GSX Server host is still a physical server. Any normal best practices used to secure other physical servers in the environment should also be followed, unless they negatively impact something required for VMware GSX Server to operate properly.

Antivirus Software

A Windows host operating system exposed to the outside world needs to have virus protection installed. It is important to monitor the performance of the host server to make sure that real-time virus scanning does not interfere with the virtualization processes or the virtual machines.
If the performance impact is too high, it might make sense to change the real-time virus scanning to only scan modified files. It is also important to exclude the following from scanning by using an exclusion rule: the installation path of GSX Server and any virtualization files such as virtual disk files, suspend files, configuration files, floppy images, and ISO images.

Prevent Virtual Machines from Running in Full Screen Mode

On a Linux host server, the vmware-remotemks binary (the program that allows the VMware Virtual Machine Console to connect to a GSX Server host remotely) runs as root with the setuid bit set. This allows a virtual machine to enter full screen mode. To disable the setuid bit and keep the program from running as root, switch to the root user and change to the directory where vmware-remotemks was installed. The default location is /usr/bin. Type the following command at a terminal:

chmod u-s vmware-remotemks

Doing so will increase host security, but the down side to disabling the setuid bit is that virtual machines on the host server will no longer be able to enter full screen mode.

Network Segmentation

Depending on the role of the virtual machines, it may be a good idea to segment the physical servers from the virtual machines by creating multiple networks at the physical switch. If the virtual machines are being created for some purpose other than production environment resources, segmenting the two networks (physical and virtual) will help to secure the production environment from loosely controlled virtual machines that may not be up to production security standards.

Securing IIS for GSX Server for Windows Hosts

GSX Server for Windows uses Microsoft's Internet Information Server (IIS) to host the VMware Management Interface.
In order to maintain security, commonly used best practices to secure IIS should be followed. In addition to these best practices, the following suggestions can also be used to help secure the environment.

Do not host other Web sites on the GSX Server host machine. Web sites should be hosted on nonvirtualization-based physical servers or within virtual machines. With the exception of the VMware Management Interface Web site, all other Web, FTP, and SMTP services listed in the IIS Manager should be removed.

IP address restrictions can be used to limit access to the management interface.

1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Directory Security tab.
3. Click Edit in the IP address and domain name restrictions section.
4. Click either Granted access or Denied access. When selecting Denied access, access is denied to all computers and domains. When selecting Granted access, access is granted to all computers and domains except those specifically denied access.
5. Click Add and then select either Single computer or Group of computers.
6. Enter either the IP address or the Network ID and Subnet mask and then click OK.

Increase the VMware Management Interface application protection option from Low (IIS Process) to High (Isolated). This setting helps reduce the risk of compromise by any unforeseen vulnerability within the management scripts.

1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Home Directory tab.
3. Set the value for Application Protection to High.
4. Click OK to confirm the settings change.
5. Stop and start the IIS service to allow the change to take effect.

The configured IIS file extensions used by the VMware Management Interface scripts do not perform a check to see if the script file exists before attempting to execute it.
There could be a security risk in allowing a remote user to invoke the script interpreter without needing to pass it a legitimate file that exists. To circumvent this potential security problem, the Check that file exists option should be enabled in the file extension mappings for .pl and .xvm.

1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Home Directory tab and then click Configuration.
3. Under Application Extensions, select .pl and then click Edit. Select the Check that file exists option and then click OK.
4. Under Application Extensions, select .xvm and then click Edit. Select the Check that file exists option and then click OK.
5. Click OK to confirm the settings changes.
6. Stop and start the IIS service to allow the change to take effect.

Securing Connections with SSL

By default, GSX Server 3 has SSL enabled for secure connections using both the VMware Virtual Machine Console and the VMware Management Interface. Using SSL for the console and the management interface connection keeps the network traffic secure by encrypting the username, password, and network packets sent to the GSX Server host. With SSL enabled, GSX Server creates its own security certificates and stores them on the host server. Unfortunately, these certificates are not signed by a trusted certificate authority, and therefore do not provide authentication of the host: a client has no way to tell the host's self-generated certificate from one generated by an impostor. If encryption is needed across remote connections externally, a certificate from a trusted certificate authority should be purchased. To use a purchased security certificate, use the information below.

On a Windows host, run the Microsoft Management Console (MMC) and select the purchased certificate.
If the VMware Management Interface is ever upgraded, the certificate will need to be reassigned to the management interface.

On a Linux host, copy the purchased certificate for the VMware Management Interface to /etc/vmware-mui/ssl. The management interface certificate consists of two files: the certificate is the mui.crt file and the private key is the mui.key file. The private key file should be assigned permissions so that only the root user can read it. If the management interface is upgraded or removed on a Linux host, the certificate and directory remain in place.

Restricting Virtual Machine and Virtual Disk Creation

Any user with access to the GSX Server host, by default, has the ability to create a virtual machine or a virtual disk file on the host server. While many users may be allowed to access the host server, as a security precaution for the host server and all running virtual machines, the number of users allowed to create virtual machines or disk files should be limited. Without any controls in place, a user may accidentally consume too much disk space on the host server or add an unpatched virtual machine that could cause security problems for the other virtual machines or physical machines on the same network. To restrict the ability to create a virtual machine or virtual disk on the host server, the following steps should be performed:

1. On the GSX Server host, create a file and assign it a name (referred to as <name> going forward).
2. Assign write permissions to <name> only to the users and/or groups that are allowed to create a virtual machine or virtual disk on that host server.
3. Use a text editor to modify the GSX Server configuration file. If the host server is a Windows server, the file is C:\Documents and Settings\All Users\Application Data\VMware\VMware GSX Server\config.ini.
If the host server is a Linux server, the file is /etc/vmware/config.
4. The following lines should be added to the configuration file:

Serverd.doCreateCheck = "TRUE"
Serverd.createCheckFile = "<name>"

where <name> is the name of the file created in Step 1.
5. Save the file and then close and exit the text editor.
6. On a Windows host, restart the VMware Registration Service by opening the Services console, right clicking the service, and selecting Restart. On a Linux host, restart the vmware-serverd process with the following command:

kill -TERM `pidof vmware-serverd`

If the vmware-serverd process does not restart automatically, reboot the GSX Server host.

Now, only users or members of the group with write access to the <name> file can create virtual machines or virtual disk files on the host server. If a change is made to the user or group list in the file permissions of <name>, then Step 6 will need to be executed again to update the GSX Server host with the permission changes.

Disabling Guest Operating System Logging

Virtual machines can log troubleshooting data into a log file stored on the host server's disk drive. These log files are not secured. Any user or process in the virtual machine can maliciously use this logging process to cause large amounts of data to be logged. The data may eventually grow large enough to fill up the host server's hard disk, thereby leading to a denial of service. To secure the host, this logging feature can be disabled on the host server by adding the following line to each virtual machine's configuration file:

isolation.tools.log.disable = TRUE

If you disable this logging feature, VMware Support may not be able to provide any help troubleshooting problems that might arise. Logging may need to be re-enabled and the problem may then need to be reproduced.
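Steps 1, 2 and 4 of the create-check procedure above and the isolation.tools.log.disable line both come down to adding a key = "value" line to a GSX Server configuration file without leaving duplicate keys behind. The POSIX shell script below is an added example, not code from the book or from VMware; the function names and the group argument are assumptions, and it only writes to the file paths passed to it, so it can be tried on copies before editing /etc/vmware/config or a live .vmx.

```shell
#!/bin/sh
# Added example (not from the book): idempotently set "key = "value"" lines
# in GSX Server style config files (/etc/vmware/config, config.ini, a .vmx).
# Function names, the check-file name and the group argument are assumptions.
set -eu

# set_vm_option FILE KEY VALUE
# Replace an existing "KEY = ..." line in FILE, or append one if absent, so
# running the script twice never leaves two definitions of the same key.
set_vm_option() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
    tmp=$(mktemp)
    # Pass key/value through the environment: unlike awk -v, ENVIRON does not
    # interpret backslashes, so Windows-style paths survive unchanged.
    VMKEY="$key" VMVAL="$value" awk '
      BEGIN { k = ENVIRON["VMKEY"]; v = ENVIRON["VMVAL"] }
      $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = \"" v "\""; next }
      { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place to keep the file's permissions
    rm -f "$tmp"
  else
    printf '%s = "%s"\n' "$key" "$value" >> "$file"
  fi
}

# get_vm_option FILE KEY
# Print the last value set for KEY (surrounding quotes stripped), or nothing.
get_vm_option() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# restrict_vm_creation CONFIG CHECKFILE GROUP
# The book's Steps 1, 2 and 4: create the check file, make it writable only by
# its owner and GROUP (whose members may then create virtual machines and
# virtual disks), and point Serverd at it. Restarting vmware-serverd (Step 6)
# is deliberately left to the operator.
restrict_vm_creation() {
  config=$1; checkfile=$2; group=$3
  : > "$checkfile"
  chgrp "$group" "$checkfile"   # needs root, or ownership of the file
  chmod 0660 "$checkfile"        # rw for owner and group, nothing for others
  set_vm_option "$config" "Serverd.doCreateCheck" "TRUE"
  set_vm_option "$config" "Serverd.createCheckFile" "$checkfile"
}

# disable_guest_logging VMX
# Adds isolation.tools.log.disable so a guest cannot fill the host disk
# through the tools log; GSX Server's own logging is unaffected.
disable_guest_logging() {
  set_vm_option "$1" "isolation.tools.log.disable" "TRUE"
}
```

The same helper covers the authd.port and authd.client.port lines in config.ini discussed below, since they use the identical key = "value" form.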
Keep in mind that this option only disables logging from the guest operating system and does not disable logging generated by GSX Server.

Changing the Console Port Number

By default, the VMware Virtual Machine Console connects to the GSX Server host and its virtual machines on port 902. If this port is already used for another application, is deemed a security risk because it is a default port, or if the port number needs to be different per host because different groups of users are accessing different host servers, then the port number should be changed on the host and on the remote console accessing it.

Changing the Port Number on a Windows Host or Client

In order to change the port number on a GSX Server for Windows host server, the following line must be added to the config.ini file located in C:\Documents and Settings\All Users\Application Data\VMware\VMware GSX Server:

authd.port = <NewPort>

where <NewPort> is the modified port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines.

In order to change the port number used by the console, whether on the Windows host server or client, a config.ini file must be created and placed in C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtual Machine Console. The following line should be added to the file:

authd.client.port = <NewPort>

where <NewPort> is the modified port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned.

To assign the port number to a specific user that is using the console installed locally on the Windows host server, add the following line to the preferences.ini file located in C:\Documents and Settings\<user name>\Application Data\VMware:

authd.client.port = <NewPort>

where <NewPort> is the modified port number that only this specified user account will use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned in the config.ini file.

Changing the Port Number on a Linux Host or Client

In order to change the port number on a GSX Server for Linux host server, the first step is to determine whether the host server is configured to use xinetd or inetd. If the host server is using xinetd, the following line located in /etc/xinetd/vmware-authd must be changed:

port = 902

Change the port number to the new...